dep updates/header changes/tls changes

Signed-off-by: Zoey <zoey@z0ey.de> - dep updates - upodate nginx/certbot - improve headers - change NPM to NPMplus in launch.sh - when using https backend, only TLSv1 to TLSv1.3 is now allowed, whith secure ciphers
2025-08-02 23:43:36 +00:00 · 2023-10-12 01:35:04 +00:00
parent 36298f284d
commit 8987ff9c6d
14 changed files with 44 additions and 26 deletions
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -10,7 +10,7 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
        with:
          node-version: 19
      - name: eslint
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -14,4 +14,4 @@ jobs:
        with:
          check_together: 'yes'
        env:
-          SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153
+          SHELLCHECK_OPTS: --shell sh -e SC1091 -e SC2153 -e SC2154
--- a/Caddy.Dockerfile
+++ b/Caddy.Dockerfile
@@ -1,3 +1,3 @@
-FROM caddy:2.7.4
+FROM caddy:2.7.5
 RUN apk add --no-cache ca-certificates tzdata
 COPY Caddyfile /etc/caddy/Caddyfile
--- a/10
+++ b/10
@@ -30,13 +30,6 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
    yarn cache clean --all
 FROM python:3.12.0-alpine3.18 as certbot
 ENV PATH="/usr/local/certbot/bin:$PATH"
 RUN apk add --no-cache ca-certificates build-base libffi-dev && \
    python3 -m venv /usr/local/certbot && \
    pip install --no-cache-dir certbot
 FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as crowdsec
 WORKDIR /src
 RUN apk add --no-cache ca-certificates git build-base && \
@@ -52,8 +45,9 @@ RUN apk add --no-cache ca-certificates git build-base && \
    sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
    sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 FROM zoeyvid/certbot-docker:10 as certbot
-FROM zoeyvid/nginx-quic:206
+FROM zoeyvid/nginx-quic:210
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 COPY rootfs /
 RUN apk add --no-cache ca-certificates tzdata tini \
--- a/README.md
+++ b/README.md
@@ -2,11 +2,12 @@
 # NPMplus
 This project comes as a pre-built docker image that enables you to easily forward to your websites
-running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt.
+running at home or otherwise, including free TLS, without having to know too much about Nginx or Certbot.
 - [Quick Setup](#quick-setup)
 <!---
 - [Screenshots](https://nginxproxymanager.com/screenshots)
-
+--->
 **Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.** <br>
 **Note: Reloading the NPMplus UI can cause a 502 error. See https://github.com/ZoeyVid/NPMplus/issues/241.** <br>
--- a/backend/package.json
+++ b/backend/package.json
@@ -16,7 +16,7 @@
    "gravatar": "1.8.2",
    "jsonwebtoken": "9.0.2",
    "knex": "3.0.1",
-    "liquidjs": "10.9.2",
+    "liquidjs": "10.9.3",
    "lodash": "4.17.21",
    "moment": "2.29.4",
    "mysql": "2.18.1",
@@ -29,7 +29,7 @@
  "author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
  "license": "MIT",
  "devDependencies": {
-    "eslint": "8.51.0",
+    "eslint": "8.52.0",
    "eslint-plugin-align-assignments": "1.1.2"
  }
 }
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@@ -1,7 +1,19 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
  more_clear_headers "Expect-CT";
  include conf.d/include/hsts.conf;
 {% endif %}
 {% endif %}
 {% endif %}
 {% unless certificate and certificate_id > 0 -%}
 {% unless ssl_forced == 1 or ssl_forced == true %}
 {% unless hsts_enabled == 1 or hsts_enabled == true %}
  more_clear_headers "Content-Security-Policy";
  more_clear_headers "Expect-CT";
  more_clear_headers "Strict-Transport-Security";
 {% endunless  %}
 {% endunless  %}
 {% endunless  %}
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -10,7 +10,10 @@
  listen 443 quic;
  listen [::]:443 quic;
-  add_header Alt-Svc 'h3=":443"; ma=86400';
+  more_set_headers "Alt-Svc: h3=':443'; ma=86400";
 {% endif %}
 {% endif %}
 {% unless hsts_subdomains %}
  more_clear_headers "Alt-Svc";
 {% endunless %}
  server_name {{ domain_names | join: " " }};
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -4,7 +4,7 @@
  "description": "A beautiful interface for creating Nginx endpoints",
  "main": "js/index.js",
  "dependencies": {
-    "@babel/core": "7.23.0",
+    "@babel/core": "7.23.2",
    "babel-core": "6.26.3",
    "babel-loader": "8.3.0",
    "babel-preset-env": "1.7.0",
--- a/global/certbot-dns-plugins.js
+++ b/global/certbot-dns-plugins.js
@@ -331,6 +331,13 @@ dns_luadns_token = 0123456789abcdef0123456789abcdef`,
 		full_plugin_name: 'dns-luadns',
 	},
 	//####################################################//
 /**	multi: {
 *		display_name:        'DNS multi',
 *		package_name:        'certbot-dns-multi',
 *		credentials:         `# see https://github.com/alexzorin/certbot-dns-multi`,
 *		full_plugin_name: 'dns-multi',
 *	},
 **/	//####################################################//
 	namecheap: {
 		display_name:        'Namecheap',
 		package_name:        'certbot-dns-namecheap',
--- a/rootfs/bin/launch.sh
+++ b/rootfs/bin/launch.sh
@@ -3,10 +3,10 @@
 echo "
 -------------------------------------
 _ _  ___  __ __       _          
-| \ | |  _ \|  \/  |
+| \ || . \|  \  \ ___ | | _ _  ___
-|  \| | |_) | |\/| |
+|   ||  _/|     || . \| || | |[_-[
-| |\  |  __/| |  | |
+|_\_||_|  |_|_|_||  _/|_| \__|/__/
-|_| \_|_|   |_|  |_|
+                 |_|               
 -------------------------------------
 Version:  $(jq -r .version /app/package.json)
 Date:     $(date)
--- a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
@@ -4,5 +4,4 @@ more_set_headers "X-Content-Type-Options: nosniff";
 more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
 more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
 more_set_headers "Expect-CT: enforce; max-age=86400";
 more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
@@ -6,7 +6,9 @@ proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Accept-Encoding "";
 proxy_set_header Host $host;
-proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
+proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-proxy_http_version 1.1;
+proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
 proxy_http_version 1.1;
 proxy_hide_header Upgrade;
 proxy_pass $forward_scheme://$server:$port$request_uri;
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
@@ -7,6 +7,6 @@ ssl_session_tickets off;
 ssl_dhparam /etc/tls/dhparam;
 # intermediate configuration. tweak to your needs.
-ssl_protocols TLSv1.3 TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers on;